Skip to content
RESEARCH SERIES

Tracking TeamPCP

A V-Spot research series tracking a single threat actor cluster across the 2026 npm and PyPI supply chain attacks. We update this page each time the cluster surfaces in a new incident.

TeamPCP is the threat actor cluster behind the Mini Shai-Hulud worm campaign. Their attacks chain compromised maintainer credentials, GitHub Actions misconfigurations, and OIDC token extraction to push malicious package versions into widely-installed open-source ecosystems. They reuse infrastructure across operations, which makes them easier to track than most single-incident actors.

V-Spot has shipped three research briefs on this cluster so far. Each one is written for engineering leaders who need to act, not just read. We focus on the gaps that incident write-ups leave behind: the exposure window between detection and remediation, the boundary conditions where standard defences fail, and the concrete moves that reduce blast radius now.

What this series argues

The TeamPCP arc is the clearest 2026 evidence that supply chain attacks have moved from credential theft into pipeline integrity. The earlier incidents we covered (Axios in March) relied on conventional account compromise. The later ones (Mini Shai-Hulud in May) rode the legitimate build pipeline through SLSA Build Level 3 attestations and produced cryptographically signed malware. The shift matters because it tells defenders where to look: not at the publish step, but at the build environment.

Each brief in this series builds on the last. Read them in order if this is your first stop. Read the most recent one if you are already tracking the cluster and need the freshest analysis.

The series

  1. Part 019 min read

    What the Axios Advisories Aren't Telling You About npm Supply Chain Risk

    The 31 March Axios npm compromise produced a wave of standard hardening advice: block postinstall, audit dependencies, rotate tokens. V-Spot's research division on what most of those checklists miss, the detection-versus-exposure gap that defines 2026 supply chain risk, and a tactical playbook for what actually holds.

    Read the brief
  2. Part 0212 min read

    MCPwn (CVE-2026-33032): How One Missing Middleware Call Validated the MCP Threat Model

    In April 2026, CVE-2026-33032 became the first widely-exploited Model Context Protocol vulnerability in the wild. Pluto Security codenamed it MCPwn. The mechanism was a single missing middleware call. V-Spot's research division on what it actually validates about MCP server security in production.

    Read the brief
  3. Part 0312 min read

    The npm Worm That Broke SLSA: Reading Mini Shai-Hulud, TanStack, and the OpenAI Incident

    On 11 May 2026, a self-spreading npm worm called Mini Shai-Hulud compromised 42 TanStack packages in six minutes, hit OpenAI's developer environment, and shipped malicious code with valid SLSA Build Level 3 attestations attached. V-Spot's reading of how the defence became the delivery vehicle, and what every team using npm should do about it.

    Read the brief

Methodology

Each brief in this series applies V-Spot's four-question dependency review framework to the incident.

Read the methodology